"You have no idea how much we can f**k with the US," alleged hacker says.

Share this story

Federal prosecutors have accused a UK man of hacking thousands of computer systems, many of them belonging to the US government, and stealing massive quantities of data that resulted in millions of dollars in damages to victims.

Lauri Love, 28, was arrested on Friday at his residence in Stradishall, UK following a lengthy investigation by the US Army, US prosecutors in New Jersey said. According to prosecutors, the attacks date back to at least October 2012. Love and other alleged hackers are said to have breached networks belonging to the Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and others, in most cases by exploiting vulnerabilities in SQL databases and the Adobe ColdFusion Web application. The objective of the year-long hacking spree was to disrupt the operations and infrastructure of the US government by stealing large amounts of military data and personally identifying information of government employees and military personnel, a 21-page indictment said.

"You have no idea how much we can fuck with the US government if we wanted to," Love told a hacking colleague in one exchange over Internet relay chat, prosecutors alleged. "This... stuff is really sensitive. It's basically every piece of information you'd need to do full identity theft on any employee or contractor" for the hacked agency.

Further Reading

According to prosecutors, Love used automated scanners to identify vulnerabilities in large ranges of IP addresses. He would then exploit them to inject powerful SQL commands into a site's backend database. He exploited similar types of vulnerabilities in sites that used ColdFusion, the Web application software whose full source code was recently found on a server operated by hackers. The ColdFusion security flaw, which has since been corrected, allowed Love to gain administrator-level access to computer servers without proper login credentials, a separate criminal complaint filed in a Virginia federal court alleged. After breaching the websites, Love allegedly planted backdoor code on the servers that gave him persistent access to the networks so he could return at a later date and steal confidential data.

"Collectively, the hacks described herein substantially impaired the functioning of dozens of computer servers and resulted in millions of dollars of damages to the government victims," the indictment, filed in US District Court in Newark, New Jersey, alleged.

The campaign continued through this month, prosecutors said. They alleged it began no later than October 2, 2012, when Love and his fellow hackers attacked the Engineer R&D website operated by the US Army Corp of Engineers. After exploiting a ColdFusion vulnerability, the hackers obtained a copy of the site's password properties file and exploited it to determine an administrator password for the site.

"Using the stolen administrator's password, the co-conspirators obtained data belonging to the Army Corps, including information regarding the planned demolition and disposal of certain military facilities," prosecutors wrote in the indictment. "The attack was launched from a computer server located in or around Romania, which was leased by defendant Love."

The indictment went on to detail at least nine additional hacks on government and military networks. Other government agencies Love allegedly breached included the Department of Energy, the Department of Health and Human Services, the US Sentencing Commission, and the Regional Computer Forensics Laboratory, according to the criminal complaint filed in Virginia. To cover his tracks, Love allegedly used the Tor privacy service to conceal his IP address and used a series of pseudonyms. He and his colleagues allegedly used pseudonyms on social media sites to publicize the breaches. Despite the effort to remain anonymous, Love allegedly originated at least one attack from an Internet domain that was registered using a PayPal account associated with his lauri.love@gmail.com account.

Love was charged with one count of accessing a US department or agency computer without authorization and one count of conspiracy to do the same. If convicted, he faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense, on each of the two counts.